CVE-2026-20069
Analyzed Analyzed - Analysis Complete
Reflected XSS in Cisco ASA and FTD VPN Web Services

Publication date: 2026-03-04

Last updated on: 2026-06-02

Assigner: Cisco Systems, Inc.

Description
A vulnerability in the VPN web services component of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct browser-based attacks against users of an affected device. This vulnerability is due to improper validation of HTTP requests. An attacker could exploit this vulnerability by persuading a user to visit a website that is designed to pass malicious HTTP requests to a device that is running Cisco Secure Firewall ASA Software or Cisco Secure FTD Software and has web services endpoints supporting VPN features enabled. A successful exploit could allow the attacker to reflect malicious input from the affected device to the browser that is in use and conduct browser-based attacks, including cross-site scripting (XSS) attacks. The attacker is not able to directly impact the affected device.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-04
Last Modified
2026-06-02
Generated
2026-06-16
AI Q&A
2026-03-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-20069
EUVD
EUVD-2026-9468
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
cisco firepower_threat_defense_software From 6.4.0 (inc) to 7.0.9 (exc)
cisco firepower_threat_defense_software From 7.1.0 (inc) to 7.2.11 (exc)
cisco firepower_threat_defense_software From 7.3.0 (inc) to 7.4.3 (exc)
cisco firepower_threat_defense_software From 7.6.0 (inc) to 7.6.4 (exc)
cisco firepower_threat_defense_software From 7.7.0 (inc) to 7.7.11 (exc)
cisco adaptive_security_appliance_software From 9.12.1 (inc) to 9.16.4.85 (exc)
cisco adaptive_security_appliance_software From 9.17.1 (inc) to 9.18.4.66 (exc)
cisco adaptive_security_appliance_software From 9.19.1 (inc) to 9.20.4 (exc)
cisco adaptive_security_appliance_software From 9.22.1.1 (inc) to 9.22.2.4 (exc)
cisco adaptive_security_appliance_software From 9.23.1 (inc) to 9.23.1.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'This vulnerability affects the VPN web services component of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. It is caused by improper validation of HTTP requests, which allows an unauthenticated remote attacker to perform browser-based attacks.'}, {'type': 'paragraph', 'content': "An attacker can exploit this by tricking a user into visiting a malicious website that sends crafted HTTP requests to a vulnerable Cisco device with VPN web services enabled. This can lead to reflected malicious input being sent back to the user's browser, enabling attacks such as cross-site scripting (XSS). However, the attacker cannot directly compromise the device itself."}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': "The main impact of this vulnerability is on the users of affected devices rather than the devices themselves. An attacker can conduct browser-based attacks like cross-site scripting (XSS) by reflecting malicious input through the vulnerable device to the user's browser."}, {'type': 'paragraph', 'content': "This could lead to potential compromise of user sessions, theft of sensitive information, or execution of malicious scripts in the context of the user's browser. However, the attacker cannot directly affect the Cisco device or its operation."}] [1]

Compliance Impact

I don't know

Detection Guidance

To detect if your device is vulnerable to CVE-2026-20069, you should check the configuration of your Cisco Secure Firewall ASA or FTD device for specific VPN web services settings.

  • Use the command `show running-config` on Cisco Secure Firewall ASA devices to verify if either of the following configurations are enabled:
  • - Internet Key Exchange version 2 (IKEv2) Remote Access VPN with client services enabled (`crypto ikev2 enable client-services port`)
  • - SSL VPN (`webvpn enable`)

For Cisco Secure FTD Software, check if remote access VPN features are enabled via Cisco Secure Firewall Management Center (FMC) or Device Manager (FDM). Devices configured to accept only IKEv2 Remote Access VPN without client services enabled are not vulnerable.

Mitigation Strategies

[{'type': 'paragraph', 'content': 'There are no workarounds available for this vulnerability. The immediate and recommended mitigation step is to upgrade your Cisco Secure Firewall ASA or FTD software to the fixed software releases provided by Cisco.'}, {'type': 'paragraph', 'content': "Cisco provides a Software Checker tool to identify affected releases and the earliest fixed versions. It is advised to consult Cisco's official security advisory page and follow their detailed upgrade guides and compatibility documents."}, {'type': 'paragraph', 'content': 'If you require assistance, contact Cisco Technical Assistance Center (TAC) for support and entitlement to free upgrades.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-20069. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart